Azure Site Recovery Ransomware

Azure Site Recovery: Ransomware Protection / Solution?

TL:DR: It’s not.

A video by two Microsoft MVPs was posted on Microsoft’s website. It discusses Azure Site Recovery (ASR), which is a method to recover systems or services that have been attacked by ransomware. Their session is misleading. This blog article explains it.

1. Make a mistake: If you’re experiencing an attack right now, there is no time to waste. It is important to act quickly and make a decision. This is true. They went on to explain that ASR allows you to choose between Failover and Disable Copy.

Let’s first discuss the Disable Replication action. The Disable Replication action will disable replication for replicated items in the ASR vault. It will however remove all duplicated items as well as ALL its recovery points from the ASR vault. This means that you have no choice but to failover these items into Azure. Oops!

Second mistake: It is normal to do a failover when faced with a catastrophe. This isn’t taking into account the internal workings of ransomware. Azure Site Recovery will not allow you to save restore points for longer than 72 hours. Some ransomware doesn’t activate immediately and can cause havoc. Therefore, you might not be able to save restore points older than 72 hours in Azure Site Recovery. They just performed a simulation of an attack using a PowerShell script, which is not even close to what I would expect from a real attack.

What is the solution to ransomware, then?

It’s not ASR. ASR was never intended for ransomware protection.

To PROTECT your environment from ransomware, antivirus/antimalware software should be used such as Windows Defender. Windows Defender offers ransomware protection. This feature controls malicious apps’ unauthorized changes through controlled folder access.

To PROTECT, and RESTORE from ransomware attacks.

  • OneDrive is required for client OSes. It can be set up and used to retrieve maliciously deleted/encrypted files. OneDrive detects ransomware and will alert you and give you instructions on how to retrieve files that have been deleted or infected.
  • Install Azure Backup service as a backup solution for servers. Based on your backup policy retention, the Azure Backup service may have older retention points that you can restore to. Multi-factor authentication can be used to protect backups. The Azure Backup service can also be used in conjunction with the Site Recovery service.